CN106549820A - Method, device, traffic cleaning equipment and system for identifying a network loop - Google Patents


Info

Publication number: CN106549820A
Authority: CN (China)
Prior art keywords: address, destination, flow, network, loop
Legal status: Pending
Application number: CN201510612181.8A
Other languages: Chinese (zh)
Inventors: 宋阳阳, 马乐乐, 胡闽
Current assignee: Alibaba Group Holding Ltd
Original assignee: Alibaba Group Holding Ltd
Application filed by: Alibaba Group Holding Ltd
Priority to: CN201510612181.8A
Related family members: TW105107425A (TWI713501B), US15/246,000 (US10243969B2), PCT/US2016/048670 (WO2017052970A1), EP16849291.6A (EP3353957B1), US16/269,438 (US10798110B2)
Publication: CN106549820A


Classifications (CPC)

    • H04L63/1408 Network security: detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/02 Network security: separating internal from external traffic, e.g. firewalls
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1458 Countermeasures against malicious traffic: Denial of Service
    • H04L45/18 Routing or path finding of packets: loop-free operations
    • H04L45/20 Routing or path finding of packets: hop count for routing purposes, e.g. TTL
    • H04L61/4511 Name-to-address mapping using the domain name system [DNS]
    • H04L61/5076 Address allocation: update or notification mechanisms, e.g. DynDNS
    • H04L69/22 Parsing or analysis of headers


Abstract

The application provides a method, a device, traffic cleaning equipment and a system for identifying a network loop. The method includes: determining, from the diverted network traffic, a first data packet whose time to live (TTL) is smaller than a first preset threshold, and determining the destination IP address of that first data packet; determining, within a first set time period after the destination IP address is determined, a plurality of received second data packets addressed to that destination IP address; and determining, according to the TTLs of the plurality of second data packets, whether a network loop exists for the destination IP address. With this technical scheme a network loop can be found in time and diversion of the IP address that has the loop can be stopped, so that the loop does not affect network availability.

Description

Method and device for identifying a network loop, traffic cleaning equipment and system
Technical Field
The present application relates to the field of network technologies, and in particular to a method, an apparatus, traffic cleaning equipment and a system for identifying a network loop.
Background
As networks have grown, attack traffic has kept increasing. In a bypass (out-of-path) deployment, traffic is diverted to Distributed Denial of Service (DDoS) cleaning equipment through static routes or dynamic routes such as Border Gateway Protocol (BGP) routes, and the DDoS cleaning equipment re-injects the cleaned traffic into the link by one of several re-injection methods. In this bypass deployment, however, a faulty policy-based routing configuration for a diverted Internet Protocol (IP) address can make the DDoS cleaning device create a loop in the network, rendering the network unavailable.
Disclosure of Invention
In view of this, the present application provides a new technical solution which identifies a network loop from the data packets themselves, so that a loop caused by a policy-based routing configuration does not affect network availability.
To achieve the above purpose, the present application provides the following technical solutions:
According to a first aspect of the present application, a method of identifying a network loop is provided, comprising:
determining, from the diverted network traffic, a first data packet whose time to live (TTL) is smaller than a first preset threshold, and determining the destination IP address of the first data packet;
determining a plurality of received second data packets addressed to the destination IP address within a first set time period after the destination IP address of the first data packet is determined;
and determining, according to the TTLs of the plurality of second data packets, whether a network loop exists for the destination IP address.
According to a second aspect of the present application, an apparatus for identifying a network loop is provided, comprising:
a first determining module, configured to determine, from the diverted network traffic, a first data packet whose TTL is smaller than a first preset threshold, and to determine the destination IP address of the first data packet;
a second determining module, configured to determine, within a first set time period after the first determining module determines the destination IP address of the first data packet, a plurality of received second data packets addressed to the destination IP address;
and a third determining module, configured to determine whether a network loop exists for the destination IP address according to the TTLs of the plurality of second data packets determined by the second determining module.
According to a third aspect of the present application, traffic cleaning equipment is provided, comprising:
a processor and a memory for storing processor-executable instructions, the processor being configured to: determine, from the diverted network traffic, a first data packet whose TTL is smaller than a first preset threshold, and determine the destination IP address of the first data packet; determine a plurality of received second data packets addressed to the destination IP address within a first set time period after the destination IP address of the first data packet is determined; and determine, according to the TTLs of the plurality of second data packets, whether a network loop exists for the destination IP address.
According to a fourth aspect of the present application, traffic cleaning equipment is provided which includes a traffic detection device and the apparatus for identifying a network loop according to the above technical solution; wherein
the traffic detection device is configured to detect data packets belonging to attack traffic in the network traffic passing through the router;
and the apparatus for identifying a network loop is configured to identify a network loop through the TTL of the data packets belonging to attack traffic, and to record the destination IP address having the network loop in a loop diversion blacklist.
According to a fifth aspect of the present application, a traffic cleaning system is provided, comprising traffic detection equipment and traffic cleaning equipment; wherein
the traffic detection equipment is configured to detect data packets belonging to attack traffic in the network traffic mirrored by the router;
and the traffic cleaning equipment is configured to identify a network loop through the TTL of the data packets belonging to attack traffic, and to stop cleaning the network traffic whose destination IP address has the network loop.
According to a sixth aspect of the present application, a traffic cleaning system is provided, comprising traffic detection equipment and traffic cleaning equipment; wherein
the traffic detection equipment is configured to detect data packets belonging to attack traffic in the network traffic mirrored by the router and to identify a network loop through the TTL of those data packets;
and the traffic cleaning equipment is configured to stop cleaning the network traffic addressed to the destination IP address of the network loop after the traffic detection equipment determines that the destination IP address of a data packet belonging to attack traffic has a network loop.
It can be seen from the above technical solutions that, by determining from the diverted network traffic a first data packet whose TTL is smaller than the first preset threshold, determining its destination IP address, and determining whether that destination IP address has a network loop according to the TTLs of the second data packets addressed to it, a network loop can be found in time and diversion of the IP address with the loop can be stopped, so that the loop does not affect network availability.
Drawings
FIG. 1A is a schematic diagram of a network architecture to which embodiments of the present application apply;
FIG. 1B is a second schematic diagram of a network architecture to which embodiments of the present application apply;
FIG. 2 is a flow diagram of a method of identifying a network loop according to an exemplary embodiment of the present application;
FIG. 3 is a flow diagram of a method of identifying a network loop according to yet another exemplary embodiment of the present application;
FIG. 4 is a flow diagram of a method of identifying a network loop according to still another exemplary embodiment of the present application;
FIG. 5A is a schematic diagram of a traffic cleaning system according to an exemplary embodiment of the present application;
FIG. 5B is a schematic diagram of a traffic cleaning system according to yet another exemplary embodiment of the present application;
FIG. 6 is a schematic structural diagram of traffic cleaning equipment according to an exemplary embodiment of the present application;
FIG. 7 is a schematic structural diagram of an apparatus for identifying a network loop according to an exemplary embodiment of the present application;
FIG. 8 is a schematic structural diagram of an apparatus for identifying a network loop according to still another exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited by these terms; the terms only distinguish one kind of information from another. For example, first information may also be called second information, and second information may be called first information, without departing from the scope of the present application. Depending on the context, the word "if" as used herein may be read as "when", "upon" or "in response to determining".
FIG. 1A and FIG. 1B are schematic diagrams of network architectures to which the embodiments of the present application apply. In the architecture of FIG. 1A the traffic cleaning device 11 is deployed on the server 12 side, near the destination, and a bypass deployment can produce a loop as follows: the first router 13 diverts traffic to the traffic cleaning device 11 by BGP; after cleaning, the traffic cleaning device 11 injects the traffic back to the first router 13, where policy-based routing (PBR) has to be configured to direct the cleaned traffic on to the second router 14 so that it is not diverted a second time. If the PBR configuration is wrong, the network has a loop and becomes unusable.
In the architecture of FIG. 1B the traffic cleaning device 15 is deployed on the server 16 side, near the source, and a bypass deployment can produce a loop as follows: the traffic diverted to the traffic cleaning device 15 is addressed to an external IP address. For example, when user IPA inside server 16 needs to reach user IPB on the Internet, the third router 17 has to divert the IP address of user IPB for the service to work; if attack detection is wrong and the IP address of user IPA is diverted to the traffic cleaning device 15 instead, the traffic cleaned by the device 15 is steered by PBR to the fourth router 18, which sees that the address belongs to user IPA and sends the traffic back to the third router 17, which diverts it once more, forming a loop.
The present application can identify the network loops in the architectures of FIG. 1A and FIG. 1B. For example, the traffic cleaning device 11 identifies, among the traffic diverted by the first router 13, a data packet whose TTL is 0 (or the traffic cleaning device 15 does so among the traffic diverted by the third router 17), records the destination IP address of that packet, and tracks the change in TTL of the subsequently recorded data packets addressed to that destination IP address. If the same data packet is seen with a decreasing TTL at the traffic cleaning device 11 (or 15), the destination IP address is determined to be in a network loop. Since a router discards a packet whose TTL has reached 0, as explained below, the first data packet is in practice recognised by a small threshold such as 1 or 2 (step 201 below) rather than by the exact value 0. The amount by which the TTL decreases per loop depends on the architecture: in FIG. 1A, the traffic cleaning device 11 is deployed near the destination on the server 12 side and the loop runs between the first router 13 and the device 11, so the same data packet loses 1 hop through the first router 13 before it is diverted to the device 11 again; in FIG. 1B, the device 15 is deployed near the source on the server 16 side and the loop runs among the third router 17, the fourth router 18 and the device 15, so the same data packet loses 1 hop at each of the third router 17 and the fourth router 18, 2 hops in total, before it is diverted to the device 15 again.
Before going further, the Time To Live (TTL) field of the data packet is explained. The TTL is an 8-bit field in the IPv4 header that gives the maximum number of router hops a packet may traverse before it is discarded. It is set by the sender of the packet, and every router on the forwarding path from source to destination decrements it by one. If the TTL reaches 0 before the packet arrives at the destination IP address, the router discards the packet and sends an Internet Control Message Protocol (ICMP) Time Exceeded message back to the sender.
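As an added illustration of the field described above (example code written for this page, not part of the patent or of any Alibaba product), the following Python builds constructed IPv4 and IPv6 packets, reads the TTL (or the IPv6 equivalent, Hop Limit) straight out of the raw header, and models the per-router decrement and discard. The builder and helper names, and the sample addresses, are assumptions made for the example; the header offsets follow RFC 791 and RFC 8200.

```python
import struct
import ipaddress
from typing import Optional

# Header layouts follow RFC 791 (IPv4) and RFC 8200 (IPv6). The TTL is byte 8
# of the IPv4 header; the IPv6 equivalent, Hop Limit, is byte 7 of its header.
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
IPV6_FMT = "!IHBB16s16s"     # 40-byte IPv6 base header


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the header; 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, payload: bytes = b"") -> bytes:
    """Constructed sample packet: minimal IPv4 header (no options), protocol 17 (UDP)."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, 17, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def build_ipv6(src: str, dst: str, hop_limit: int, payload: bytes = b"") -> bytes:
    """Constructed sample packet: IPv6 base header, next header 17 (UDP)."""
    return struct.pack(IPV6_FMT, 0x60000000, len(payload), 17, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def parse_packet(raw: bytes) -> dict:
    """Extract version, source, destination and the hop-count field ('ttl') of a raw IP packet."""
    if not raw:
        raise ValueError("empty packet")
    version = raw[0] >> 4
    if version == 4:
        ihl = (raw[0] & 0x0F) * 4
        if ihl < 20 or len(raw) < ihl:
            raise ValueError("truncated IPv4 header")
        if ipv4_checksum(raw[:ihl]) != 0:
            raise ValueError("bad IPv4 header checksum")
        ttl = raw[8]
        src = str(ipaddress.IPv4Address(raw[12:16]))
        dst = str(ipaddress.IPv4Address(raw[16:20]))
    elif version == 6:
        if len(raw) < 40:
            raise ValueError("truncated IPv6 header")
        ttl = raw[7]
        src = str(ipaddress.IPv6Address(raw[8:24]))
        dst = str(ipaddress.IPv6Address(raw[24:40]))
    else:
        raise ValueError("unsupported IP version %d" % version)
    return {"version": version, "src": src, "dst": dst, "ttl": ttl}


def forward_hop(raw: bytes) -> Optional[bytes]:
    """Model one router hop: decrement the TTL / Hop Limit and fix the IPv4 checksum.
    Returns None when the field would reach 0, i.e. the router discards the packet
    and answers the sender with ICMP Time Exceeded instead of forwarding it."""
    info = parse_packet(raw)
    if info["ttl"] <= 1:
        return None
    if info["version"] == 4:
        ihl = (raw[0] & 0x0F) * 4
        hdr = bytearray(raw[:ihl])
        hdr[8] -= 1
        hdr[10:12] = b"\x00\x00"
        hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
        return bytes(hdr) + raw[ihl:]
    hdr = bytearray(raw[:40])
    hdr[7] -= 1
    return bytes(hdr) + raw[40:]


def hops_until_discard(raw: bytes) -> int:
    """Number of routers the packet crosses before one discards it."""
    hops = 0
    while (raw := forward_hop(raw)) is not None:
        hops += 1
    return hops
```

A cleaning device that reads the TTL this way should validate the header first (the parser above rejects a truncated header and a bad IPv4 checksum) because the diverted traffic is, by definition, attack traffic and may be malformed on purpose.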
For further explanation of the present application, the following examples are provided:
FIG. 2 is a flow diagram of a method of identifying a network loop according to an exemplary embodiment of the present application; as shown in FIG. 2, the method comprises the following steps:
step 201, determining, from the diverted network traffic, a first data packet whose TTL is smaller than a first preset threshold, and determining the destination IP address of the first data packet;
step 202, determining a plurality of received second data packets addressed to the destination IP address within a first set time period after the destination IP address of the first data packet is determined;
step 203, determining, according to the TTLs of the plurality of second data packets, whether a network loop exists for the destination IP address.
In step 201, the first preset threshold may be a small integer, for example 1 or 2; filtering on the TTL of the first data packet selects the destination IP addresses that need to be monitored for a network loop.
In steps 202 and 203, the first set time period may be set by the user of the traffic cleaning equipment or obtained statistically from experiments, for example 1 second. In an embodiment, the decrease in TTL of the data packets addressed to the destination IP address is tracked within the first set time period: if the TTL of the same second data packet is seen to decrease continuously during the period and to fall below a second preset threshold, the destination IP address of that packet is treated as abnormal, and if a plurality of second data packets are all found abnormal within the period, the destination IP address is determined to have a network loop.
As can be seen from the above, in this embodiment a first data packet whose TTL is smaller than a first preset threshold is determined from the diverted network traffic, its destination IP address is determined, and whether that destination IP address has a network loop is determined according to the TTLs of a plurality of second data packets addressed to it; the network loop can thus be found in time and diversion of the IP address with the loop stopped, so that the loop does not affect network availability.
FIG. 3 is a flow diagram of a method of identifying a network loop according to yet another exemplary embodiment of the present application; as shown in FIG. 3, the method comprises the following steps:
step 301, determining, from the diverted network traffic, a first data packet whose TTL is smaller than a first preset threshold, and determining the destination IP address of the first data packet;
step 302, recording the destination IP address of the first data packet in an IP address list for network loop monitoring;
step 303, determining a plurality of received second data packets addressed to the destination IP address within a first set time period after the destination IP address of the first data packet is determined;
step 304, determining whether, among the TTLs of the plurality of second data packets observed within the first set time period, a set number of TTLs have decreased to a second preset threshold; if so, executing step 305, otherwise executing step 306;
step 305, if a set number of the TTLs of the plurality of second data packets have decreased to the second preset threshold, determining that a network loop exists for the destination IP address;
step 306, if a set number of the TTLs have not decreased to the second preset threshold, determining that no network loop exists for the destination IP address;
step 307, continuing to monitor the data packets addressed to the destination IP address for a second set time period after determining that no network loop exists.
For steps 301 and 303 refer to the description of the embodiment of FIG. 2; they are not repeated here.
In step 302, in an embodiment, the IP address list for network loop monitoring may be stored in the traffic cleaning equipment, so that the equipment can check whether the destination IP address of diverted traffic is on that list.
In step 304, in an embodiment, the set number may be chosen by the provider of the traffic cleaning equipment; the application does not limit its specific value.
In steps 306 and 307, in an embodiment, the destination IP address may be monitored for a further, second set time period without any other action being taken; if it still does not meet the condition of step 304 within the second set time period, monitoring of the destination IP address stops.
As an exemplary scenario, data packets A, B, C and D are diverted from a router to the traffic cleaning equipment, and the TTL of data packet A is found to be 0 (or another small integer such as 1 or 2); data packet A is then the first data packet of this application. Its destination IP address is recorded and found to be 1.1.1.1. In the following 1 second, data packets E, F and G are found to be addressed to 1.1.1.1; they are the second data packets of this application. Data packets E, F and G come from different source IP addresses and have TTLs of 128, 126 and 125 respectively. If data packets E, F and G loop back to the traffic cleaning equipment within the first set time period, their TTLs become 127, 125 and 124; after several more loops within the first set time period the TTLs of E, F and G keep decreasing until they reach 0 or fall below the second preset threshold, and it can then be determined that the destination IP address 1.1.1.1 has a network loop.
When a large number of data packets (for example 1000) are found to be addressed to 1.1.1.1, and it is determined that the TTLs of 100 of them (the set number of this application) keep decreasing, like the TTLs of data packets E, F and G, until they reach 0 or fall below the second preset threshold, a network loop can be determined to exist on the basis of the TTLs of those 100 data packets.
On the basis of the beneficial effects of the foregoing embodiments, this embodiment determines whether a set number of the TTLs of the plurality of second data packets have decreased to the second preset threshold within the first set time period, so that the destination IP address having a loop is identified by the amount of TTL decrease, which gives the traffic cleaning service provider much greater flexibility.
FIG. 4 is a flow diagram of a method of identifying a network loop according to yet another exemplary embodiment of the present application; as shown in FIG. 4, the method comprises the following steps:
step 401, if a network loop exists for the destination IP address, recording the destination IP address in a loop diversion blacklist;
step 402, stopping diversion of the data packets addressed to the destination IP address;
step 403, after detecting that the network loop for the destination IP address has been repaired, deleting the destination IP address from the loop diversion blacklist.
In this embodiment, by recording the destination IP address in the loop diversion blacklist once the destination IP address with the network loop is identified, diversion of traffic for that destination IP address can be stopped, which avoids diverting the destination IP address a second time; and when the network loop for the destination IP address is found to be repaired, the destination IP address is deleted from the loop diversion blacklist, so that traffic can again reach the server at that destination IP address normally.
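The procedure of steps 201 to 203, its refinement in steps 301 to 307 with the 1.1.1.1 scenario above, and the blacklist handling of steps 401 to 403 can be put together as one detector. The following Python is an added example written for this page, not code from the patent or from Alibaba. The Packet type, the flow key by which the equipment recognises the same packet on successive passes (the page does not say how that is matched), the threshold defaults (first threshold 2, 1-second periods, second threshold 2, set number 3), the reading of "decreased to the threshold" as at-or-below, and the replay helpers are all assumptions, and the replay data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float   # arrival time at the cleaning equipment, seconds
    dst: str    # destination IP address
    flow: str   # assumed key (e.g. 5-tuple plus IP ID) identifying "the same packet" on each pass
    ttl: int


class LoopDetector:
    """Steps 201-203, 301-307 and 401-403 of the page, with the thresholds as parameters."""

    def __init__(self, first_threshold: int = 2, window: float = 1.0,
                 second_threshold: int = 2, set_number: int = 3) -> None:
        self.first_threshold = first_threshold    # step 301: TTL below this marks a candidate dst
        self.window = window                      # first set time period; reused as the second
        self.second_threshold = second_threshold  # step 304: TTL must fall to or below this
        self.set_number = set_number              # step 304: how many flows must do so
        self.watch: Dict[str, dict] = {}          # IP address list for loop monitoring (step 302)
        self.blacklist: set = set()               # loop diversion blacklist (step 401)

    def _abnormal(self, ttls: List[int]) -> bool:
        # Same flow seen at least twice, TTL strictly decreasing, now at or below the threshold.
        return (len(ttls) >= 2 and all(b < a for a, b in zip(ttls, ttls[1:]))
                and ttls[-1] <= self.second_threshold)

    def observe(self, pkt: Packet) -> str:
        """Feed one diverted packet; returns 'blacklisted', 'loop', 'watching' or 'ignored'."""
        if pkt.dst in self.blacklist:
            return "blacklisted"                  # step 402: diversion for this dst is stopped
        entry = self.watch.get(pkt.dst)
        if entry is None:
            if pkt.ttl >= self.first_threshold:
                return "ignored"                  # ordinary packet, nothing to monitor
            self.watch[pkt.dst] = {"start": pkt.ts, "extended": False,
                                   "flows": defaultdict(list)}
            return "watching"                     # steps 301-302: first data packet found
        if pkt.ts - entry["start"] > self.window:
            if entry["extended"]:
                del self.watch[pkt.dst]           # step 307: second period quiet too, drop it
                return "ignored"
            entry.update(start=pkt.ts, extended=True, flows=defaultdict(list))  # step 306
        entry["flows"][pkt.flow].append(pkt.ttl)  # step 303: second data packets to this dst
        abnormal = sum(1 for ttls in entry["flows"].values() if self._abnormal(ttls))
        if abnormal >= self.set_number:           # steps 304-305
            self.blacklist.add(pkt.dst)           # step 401
            del self.watch[pkt.dst]
            return "loop"
        return "watching"

    def repaired(self, dst: str) -> None:
        """Step 403; how a repair is detected is not specified on the page, so it is a call."""
        self.blacklist.discard(dst)


def simulate_loop(det: LoopDetector, dst: str = "1.1.1.1",
                  flows: Tuple[Tuple[str, int], ...] = (("E", 128), ("F", 126), ("G", 125)),
                  hops_per_loop: int = 1, period: float = 0.005) -> Tuple[str, float]:
    """Constructed replay of the page's scenario: first packet A with TTL 1, then flows E/F/G
    re-diverted every `period` seconds, each pass costing `hops_per_loop` TTL (1 in the FIG. 1A
    loop, 2 in FIG. 1B). A packet whose TTL would reach 0 is dropped by the router and never
    returns. Returns the final verdict and the time at which it was reached."""
    verdict = det.observe(Packet(0.0, dst, "A", 1))
    ttl = dict(flows)
    n = 0
    while any(v > 0 for v in ttl.values()):
        n += 1
        for name in ttl:
            if ttl[name] <= 0:
                continue
            verdict = det.observe(Packet(n * period, dst, name, ttl[name]))
            if verdict == "loop":
                return verdict, n * period
            ttl[name] -= hops_per_loop
    return verdict, n * period


def simulate_normal(det: LoopDetector, dst: str = "2.2.2.2", period: float = 0.005) -> str:
    """Constructed control case: one low-TTL packet (such as a traceroute probe), then about 2 s
    of ordinary traffic whose TTLs never fall; the watch must expire, not blacklist the address."""
    verdict = det.observe(Packet(0.0, dst, "probe", 1))
    for n in range(1, 420):
        for name, ttl in (("H", 64), ("I", 57), ("J", 249)):
            verdict = det.observe(Packet(n * period, dst, name, ttl))
    return verdict
```

Running simulate_loop with hops_per_loop=1 reproduces the FIG. 1A case (E, F and G lose one hop per pass and the loop is declared at 0.635 s, well inside the 1-second period); hops_per_loop=2 reproduces FIG. 1B, where detection comes about twice as fast. simulate_normal shows a destination that merely received one low-TTL packet being dropped from the watch list after two quiet periods, which is the false-positive guard a practitioner cares about: traceroute probes and other legitimately low-TTL packets must not get a destination blacklisted, since blacklisting withdraws its DDoS protection.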
FIG. 5A shows a schematic diagram of a traffic cleaning system according to an exemplary embodiment of the present invention. As shown in FIG. 5A, the traffic cleaning system includes:
a traffic detection device 51, configured to detect data packets belonging to attack traffic in network traffic mirrored by a router (e.g., the first router 13 shown in FIG. 1A or the third router 17 shown in FIG. 1B);
and a traffic cleaning device 52, configured to identify a network loop through the TTL in the data packets belonging to the attack traffic, and to stop cleaning network traffic whose destination IP address has the network loop.
In this embodiment, the network loop is identified from the TTL in the data packets, so that the traffic cleaning device 52 can stop cleaning the network traffic destined for the IP address that has the network loop.
In one embodiment, the traffic cleaning device 52 may include:
a traffic diversion module 521, configured to divert (pull) the data packets belonging to the attack traffic from the traffic detection device to the traffic cleaning module 522;
a traffic cleaning module 522, configured to query whether the destination IP address of a data packet belonging to the attack traffic is recorded in a loop diversion blacklist 523, and to stop the diversion of that destination IP address at the router if the destination IP address has a network loop, where the loop diversion blacklist 523 is configured to record destination IP addresses having a network loop.
In an embodiment, the traffic cleaning device may further include:
means 524 for identifying a network loop, configured to determine, from the data packets belonging to the attack traffic, a first data packet whose TTL is smaller than a first preset threshold and determine the destination IP address of the first data packet; to determine a plurality of second data packets received within a first set time period after the destination IP address of the first data packet is determined, which need to be sent to that destination IP address; and to determine, according to the TTLs of the second data packets, whether a network loop exists for the destination IP address;
the destination IP address for which the network loop exists is recorded in the loop diversion blacklist.
The means 524 for identifying a network loop in this embodiment may be the means for identifying a network loop in the embodiments above; its technical effects can likewise be found there and are not described in detail here.
FIG. 5B shows a schematic diagram of a traffic cleaning system according to yet another exemplary embodiment of the present invention. As shown in FIG. 5B, the traffic cleaning system includes a traffic detection device 53 and a traffic cleaning device 54, wherein:
the traffic detection device 53 is configured to detect data packets belonging to attack traffic in network traffic mirrored by a router (e.g., the first router 13 shown in FIG. 1A or the third router 17 shown in FIG. 1B), and to identify a network loop through the TTL in the data packets belonging to the attack traffic;
and the traffic cleaning device 54 is configured to stop cleaning network traffic whose destination IP address has the network loop after the traffic detection device 53 determines that the destination IP address of the data packets belonging to the attack traffic has the network loop.
In one embodiment, the traffic cleaning device 54 may include:
a traffic diversion module 541, configured to divert (pull) the data packets belonging to the attack traffic from the traffic detection device to the traffic cleaning module 542;
a traffic cleaning module 542, configured to query whether a loop diversion blacklist 531 in the traffic detection device 53 records the destination IP address of a data packet belonging to the attack traffic, and to stop the diversion of that destination IP address at the router if the destination IP address has a network loop, where the loop diversion blacklist 531 is configured to record destination IP addresses having a network loop.
In one embodiment, the traffic detection device 53 may include:
a traffic early warning module 532, configured to detect data packets belonging to attack traffic in network traffic mirrored by the router;
means 533 for identifying a network loop, configured to determine, from the data packets belonging to the attack traffic, a first data packet whose TTL is smaller than a first preset threshold and determine the destination IP address of the first data packet; to determine a plurality of second data packets received within a first set time period after the destination IP address of the first data packet is determined, which need to be sent to that destination IP address; and to determine, according to the TTLs of the second data packets, whether a network loop exists for the destination IP address;
the destination IP address for which the network loop exists is recorded in the loop diversion blacklist 531.
The means 533 for identifying a network loop in this embodiment may be the means for identifying a network loop in the embodiment above; its technical effect can likewise be found there and is not described in detail here.
As described above, the prior-art linkage of DDoS traffic cleaning devices comprises DDoS attack early warning, DDoS traffic diversion scheduling and DDoS traffic cleaning. Compared with it, the present application identifies which destination IP addresses have a network loop from the change in the TTL of the diverted data packets, so that network loop detection is performed at the traffic cleaning device, bypass BGP route diversion is stopped automatically, the loop problem is discovered and resolved, and the bypass diversion and near-source cleaning scheme is preserved.
The present application also proposes a traffic cleaning device, whose schematic block diagram according to an exemplary embodiment is shown in FIG. 6, corresponding to the method of identifying network loops described above. Referring to FIG. 6, at the hardware level the traffic cleaning device includes a processor, an internal bus, a network interface, a memory and a non-volatile memory, and may also include hardware required by other services. The processor reads the corresponding computer program from the non-volatile memory into the memory and runs it, forming, at the logical level, a device for identifying the network loop. Besides the software implementation, the present application does not exclude other implementations, such as logic devices or a combination of software and hardware; that is, the execution subject of the following processing flow is not limited to logic units and may also be hardware or logic devices.
FIG. 7 is a schematic structural diagram of an apparatus for identifying a network loop according to an exemplary embodiment of the present invention. As shown in FIG. 7, the apparatus for identifying a network loop may include a first determining module 71, a second determining module 72 and a third determining module 73, wherein:
the first determining module 71 is configured to determine, from the diverted network traffic, a first data packet whose time to live (TTL) is less than a first preset threshold, and to determine a destination IP address of the first data packet;
the second determining module 72 is configured to determine a plurality of second data packets, received within a first set time period after the first determining module 71 determines the destination IP address of the first data packet, that need to be sent to the destination IP address;
the third determining module 73 is configured to determine whether a network loop exists for the destination IP address according to the TTLs of the plurality of second data packets determined by the second determining module 72.
FIG. 8 is a schematic structural diagram of an apparatus for identifying a network loop according to still another exemplary embodiment of the present invention. As shown in FIG. 8, based on the embodiment shown in FIG. 7, in an embodiment the third determining module 73 may include:
a first determining unit 731, configured to determine whether, among the plurality of TTLs corresponding to the plurality of second data packets received within the first set time period, a set number of TTLs have decreased to a second preset threshold;
a second determining unit 732, configured to determine that the destination IP address has a network loop if the first determining unit 731 determines that the set number of TTLs decreased to the second preset threshold exist.
In an embodiment, the apparatus for identifying a network loop may further include:
a fourth determining module 74, configured to determine that the destination IP address does not have a network loop if the first determining unit 731 determines that the set number of TTLs decreased to the second preset threshold do not exist;
and a monitoring module 75, configured to continue monitoring the data packets from the destination IP address within a second set time period after the fourth determining module 74 determines that the destination IP address does not have a network loop.
In an embodiment, the apparatus for identifying a network loop may further include:
a first recording module 76, configured to record the destination IP address in a loop diversion blacklist if the third determining module 73 determines that the destination IP address has a network loop;
a control module 77, configured to stop the diversion of data packets that need to be sent to the destination IP address after the third determining module 73 determines that the destination IP address has the network loop;
and a deleting module 78, configured to delete the destination IP address from the loop diversion blacklist recorded by the first recording module 76 after detecting that the network loop corresponding to the destination IP address has been repaired.
In an embodiment, the apparatus for identifying a network loop may further include:
a second recording module 79, configured to record the destination IP address of the first data packet determined by the first determining module 71 in an IP address list for monitoring network loops.
As can be seen from the above embodiments, the present application identifies which destination IP addresses have a network loop from the variation of the TTL of the diverted data packets, thereby performing network loop detection at the traffic cleaning device and automatically stopping bypass BGP route diversion, so that the loop problem is found and solved and the bypass diversion and near-source cleaning scheme is preserved.
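The following Python is an added example, not the patent's or the applicant's code, that sketches the logic of modules 71 to 79 above (and of claims 1 to 5): a first packet whose TTL is below a first threshold puts its destination on a monitoring list, later packets to that destination are counted once their TTL has fallen to a second threshold, a set number of them within the monitoring window confirms the loop, and the address is placed on a loop diversion blacklist that the cleaning module consults before pulling traffic. The threshold values, the window lengths, the treatment of the second monitoring period (evidence gathered there may still confirm the loop) and every IP address and TTL in the demo are constructed assumptions.

```python
"""TTL-based network loop detection for diverted attack traffic (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    ts: float   # arrival time at the cleaning device, in seconds
    dst: str    # destination IP address of the diverted packet
    ttl: int    # IPv4 time to live as received


@dataclass
class _Watch:
    """Entry in the IP address list for monitoring a network loop."""
    start: float                                        # first low-TTL packet seen
    low_ttls: List[int] = field(default_factory=list)   # TTLs at or below T2


class LoopDetector:
    def __init__(self, first_threshold: int = 10, second_threshold: int = 3,
                 required_count: int = 3, first_period: float = 2.0,
                 second_period: float = 5.0,
                 on_loop: Optional[Callable[[str], None]] = None) -> None:
        self.first_threshold = first_threshold    # T1: marks a "first data packet"
        self.second_threshold = second_threshold  # T2: TTL counted as loop evidence
        self.required_count = required_count      # the "set number" of low TTLs
        self.first_period = first_period          # first set time period (s)
        self.second_period = second_period        # second set time period (s)
        self.on_loop = on_loop                    # control module: stop diversion
        self.watch: Dict[str, _Watch] = {}        # monitoring list
        self.blacklist: Set[str] = set()          # loop diversion blacklist

    def observe(self, pkt: Packet) -> Optional[str]:
        """Feed one diverted packet; return an event name or None."""
        if pkt.dst in self.blacklist:
            return "blacklisted"                  # diversion already stopped
        w = self.watch.get(pkt.dst)
        if w is None:
            # Step 1: a first data packet with TTL below T1 puts its
            # destination on the monitoring list (second recording module).
            if pkt.ttl < self.first_threshold:
                self.watch[pkt.dst] = _Watch(start=pkt.ts)
                return "monitor"
            return None
        elapsed = pkt.ts - w.start
        if elapsed > self.first_period + self.second_period:
            # Both monitoring periods passed without a loop: drop the entry
            # and treat this packet as a fresh observation.
            del self.watch[pkt.dst]
            return self.observe(pkt)
        # Step 2: later packets to the same destination are "second data
        # packets"; keep those whose TTL has fallen to T2 or below.
        if pkt.ttl <= self.second_threshold:
            w.low_ttls.append(pkt.ttl)
        # Step 3: the set number of such TTLs confirms the loop.  Assumption:
        # evidence gathered during the second (extended) monitoring period
        # may confirm the loop as well.
        if len(w.low_ttls) >= self.required_count:
            del self.watch[pkt.dst]
            self.blacklist.add(pkt.dst)           # first recording module
            if self.on_loop:
                self.on_loop(pkt.dst)             # control module hook
            return "loop"
        return "monitoring" if elapsed <= self.first_period else "extended"

    def should_divert(self, dst: str) -> bool:
        """Traffic cleaning module: consult the blacklist before pulling dst."""
        return dst not in self.blacklist

    def loop_repaired(self, dst: str) -> None:
        """Deleting module: the loop behind dst has been fixed."""
        self.blacklist.discard(dst)


def run_demo() -> dict:
    """Constructed traffic (documentation-range addresses, not real hosts)."""
    stopped: List[str] = []
    det = LoopDetector(on_loop=stopped.append)
    # Normal traffic: TTLs consistent with 64/128/255 initial values minus hops.
    pkts = [Packet(i * 0.1, "203.0.113.10", t)
            for i, t in enumerate([54, 118, 52, 245, 117, 53])]
    # Looping traffic: the bypass diversion and the re-injection path send
    # the same packets back through the cleaning device, so the TTL counts
    # down hop by hop until it expires.
    pkts += [Packet(1.0 + i * 0.05, "203.0.113.20", t)
             for i, t in enumerate(range(9, 0, -1))]
    # One stray low-TTL packet followed by normal traffic: monitored, no loop.
    pkts += [Packet(2.0, "203.0.113.30", 8)]
    pkts += [Packet(2.5 + i, "203.0.113.30", 60) for i in range(4)]
    pkts += [Packet(12.0, "203.0.113.30", 61)]   # after both periods expire
    pkts.sort(key=lambda p: p.ts)
    events = [(p.dst, p.ttl, det.observe(p)) for p in pkts]
    return {"events": events, "stopped": stopped,
            "blacklist": set(det.blacklist), "watch": set(det.watch)}
```

Calling `run_demo()` returns the per-packet events together with the final blacklist and monitoring list; only the looping destination ends up blacklisted, and the stray low-TTL destination drops off the monitoring list once both periods have passed.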
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (17)

1. A method of identifying a network loop, the method comprising:
determining, from diverted network traffic, a first data packet whose time to live (TTL) is less than a first preset threshold, and determining a destination IP address of the first data packet;
determining a plurality of second data packets, received within a first set time period after the destination IP address of the first data packet is determined, that need to be sent to the destination IP address;
and determining whether a network loop exists for the destination IP address according to the TTLs of the plurality of second data packets.
2. The method of claim 1, wherein the determining whether a network loop exists for the destination IP address according to the TTLs of the second data packets comprises:
determining whether, among the plurality of TTLs corresponding to the second data packets received within the first set time period, a set number of TTLs have decreased to a second preset threshold;
and if the set number of TTLs decreased to the second preset threshold exist, determining that the destination IP address has a network loop.
3. The method of claim 2, further comprising:
if the set number of TTLs decreased to the second preset threshold do not exist, determining that the destination IP address does not have a network loop;
and continuing to monitor the data packets from the destination IP address within a second set time period after the destination IP address is determined not to have a network loop.
4. The method of claim 1, further comprising:
if the destination IP address has a network loop, recording the destination IP address in a loop diversion blacklist;
stopping the diversion of data packets that need to be sent to the destination IP address;
and after detecting that the network loop corresponding to the destination IP address has been repaired, deleting the destination IP address from the loop diversion blacklist.
5. The method according to any one of claims 1-4, further comprising:
recording the destination IP address of the first data packet in an IP address list for monitoring network loops.
6. An apparatus for identifying a network loop, the apparatus comprising:
a first determining module, configured to determine, from diverted network traffic, a first data packet whose TTL is less than a first preset threshold, and to determine a destination IP address of the first data packet;
a second determining module, configured to determine a plurality of second data packets, received within a first set time period after the first determining module determines the destination IP address of the first data packet, that need to be sent to the destination IP address;
and a third determining module, configured to determine whether a network loop exists for the destination IP address according to the TTLs of the plurality of second data packets determined by the second determining module.
7. The apparatus of claim 6, wherein the third determining module comprises:
a first determining unit, configured to determine whether, among the plurality of TTLs corresponding to the plurality of second data packets received within the first set time period, a set number of TTLs have decreased to a second preset threshold;
and a second determining unit, configured to determine that a network loop exists for the destination IP address if the first determining unit determines that the set number of TTLs decreased to the second preset threshold exist.
8. The apparatus of claim 7, further comprising:
a fourth determining module, configured to determine that the destination IP address does not have a network loop if the first determining unit determines that the set number of TTLs decreased to the second preset threshold do not exist;
and a monitoring module, configured to continue monitoring the data packets from the destination IP address within a second set time period after the fourth determining module determines that the destination IP address does not have a network loop.
9. The apparatus of claim 6, further comprising:
a first recording module, configured to record the destination IP address in a loop diversion blacklist if the third determining module determines that the destination IP address has a network loop;
a control module, configured to stop the diversion of data packets that need to be sent to the destination IP address after the third determining module determines that the destination IP address has a network loop;
and a deleting module, configured to delete the destination IP address from the loop diversion blacklist recorded by the first recording module after detecting that the network loop corresponding to the destination IP address has been repaired.
10. The apparatus of any of claims 6-9, further comprising:
a second recording module, configured to record the destination IP address of the first data packet determined by the first determining module in an IP address list for monitoring network loops.
11. A traffic cleaning device, comprising:
a processor; and a memory for storing processor-executable instructions;
wherein the processor is configured to determine, from diverted network traffic, a first data packet whose TTL is less than a first preset threshold, and to determine a destination IP address of the first data packet;
to determine a plurality of second data packets, received within a first set time period after the destination IP address of the first data packet is determined, that need to be sent to the destination IP address;
and to determine whether a network loop exists for the destination IP address according to the TTLs of the plurality of second data packets.
12. A traffic cleaning system, comprising a traffic detection device and a traffic cleaning device, wherein:
the traffic detection device is configured to detect data packets belonging to attack traffic in network traffic mirrored by a router;
and the traffic cleaning device is configured to identify a network loop through the TTL in the data packets belonging to the attack traffic, and to stop cleaning network traffic whose destination IP address has the network loop.
13. The system of claim 12, wherein the traffic cleaning device comprises:
a traffic diversion module, configured to divert the data packets belonging to the attack traffic from the traffic detection device to the traffic cleaning module;
and the traffic cleaning module, configured to query whether the destination IP address of a data packet belonging to the attack traffic is recorded in a loop diversion blacklist and, if the destination IP address has a network loop, to stop the diversion of the destination IP address at the router, where the loop diversion blacklist is used to record destination IP addresses having a network loop.
14. The system of claim 13, wherein the traffic cleaning device further comprises:
a device for identifying a network loop, configured to determine, from the data packets belonging to the attack traffic, a first data packet whose TTL is less than a first preset threshold, and to determine a destination IP address of the first data packet; to determine a plurality of second data packets, received within a first set time period after the destination IP address of the first data packet is determined, that need to be sent to the destination IP address; and to determine whether a network loop exists for the destination IP address according to the TTLs of the plurality of second data packets;
and to record the destination IP address for which the network loop exists in the loop diversion blacklist.
15. A traffic cleaning system, comprising a traffic detection device and a traffic cleaning device, wherein:
the traffic detection device is configured to detect data packets belonging to attack traffic in network traffic mirrored by a router, and to identify a network loop through the TTL in the data packets belonging to the attack traffic;
and the traffic cleaning device is configured to stop cleaning network traffic whose destination IP address has the network loop after the traffic detection device determines that the destination IP address of the data packets belonging to the attack traffic has the network loop.
16. The system of claim 15, wherein the traffic cleaning device comprises:
a traffic diversion module, configured to divert the data packets belonging to the attack traffic from the traffic detection device to the traffic cleaning module;
and the traffic cleaning module, configured to query whether a loop diversion blacklist in the traffic detection device records the destination IP address of a data packet belonging to the attack traffic and, if the destination IP address has a network loop, to stop the diversion of the destination IP address at the router, where the loop diversion blacklist is used to record destination IP addresses having a network loop.
17. The system of claim 15, wherein the traffic detection device comprises:
a traffic early warning module, configured to detect data packets belonging to attack traffic in network traffic mirrored by the router;
a device for identifying a network loop, configured to determine, from the data packets belonging to the attack traffic, a first data packet whose TTL is less than a first preset threshold, and to determine a destination IP address of the first data packet; to determine a plurality of second data packets, received within a first set time period after the destination IP address of the first data packet is determined, that need to be sent to the destination IP address; and to determine whether a network loop exists for the destination IP address according to the TTLs of the plurality of second data packets;
and to record the destination IP address for which the network loop exists in the loop diversion blacklist.
CN201510612181.8A 2015-09-23 2015-09-23 Recognize method, device, flow cleaning equipment and the system of network loop Pending CN106549820A (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
CN201510612181.8A CN106549820A (en) 2015-09-23 2015-09-23 Recognize method, device, flow cleaning equipment and the system of network loop
TW105107425A TWI713501B (en) 2015-09-23 2016-03-10 Method, device, flow cleaning equipment and system for identifying network loop
US15/246,000 US10243969B2 (en) 2015-09-23 2016-08-24 Method and system for identifying network loops
PCT/US2016/048670 WO2017052970A1 (en) 2015-09-23 2016-08-25 Method and system for identifying network loops
EP16849291.6A EP3353957B1 (en) 2015-09-23 2016-08-25 Method and system for identifying network loops
US16/269,438 US10798110B2 (en) 2015-09-23 2019-02-06 Method and system for identifying network loops


Publications (1)

Publication Number Publication Date
CN106549820A true CN106549820A (en) 2017-03-29


Country Status (5)

Country Link
US (2) US10243969B2 (en)
EP (1) EP3353957B1 (en)
CN (1) CN106549820A (en)
TW (1) TWI713501B (en)
WO (1) WO2017052970A1 (en)


Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11750622B1 (en) 2017-09-05 2023-09-05 Barefoot Networks, Inc. Forwarding element with a data plane DDoS attack detector
US11108812B1 (en) 2018-04-16 2021-08-31 Barefoot Networks, Inc. Data plane with connection validation circuits
US11283704B2 (en) * 2020-01-16 2022-03-22 Cisco Technology, Inc. Diagnosing and resolving issues in a network using probe packets
US11201887B1 (en) * 2021-03-23 2021-12-14 Lookingglass Cyber Solutions, Inc. Systems and methods for low latency stateful threat detection and mitigation

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090161567A1 (en) * 2007-12-21 2009-06-25 At&T Labs, Inc. Detection of routing loops based on time-to-live expiries
US20090320131A1 (en) * 2008-06-18 2009-12-24 Chiung-Ying Huang Method and System for Preventing Malicious Communication
US20120240185A1 (en) * 2000-09-25 2012-09-20 Harsh Kapoor Systems and methods for processing data flows
CN102916850A (en) * 2012-08-23 2013-02-06 歌尔声学股份有限公司 Computer network loop detecting method
US20150124587A1 (en) * 2013-11-05 2015-05-07 Cisco Technology, Inc. Loop detection and repair in a multicast tree

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7028228B1 (en) 2001-03-28 2006-04-11 The Shoregroup, Inc. Method and apparatus for identifying problems in computer networks
EP1595193B1 (en) * 2001-08-14 2012-11-21 Cisco Technology, Inc. Detecting and protecting against worm traffic on a network
US6717922B2 (en) 2002-03-04 2004-04-06 Foundry Networks, Inc. Network configuration protocol and method for rapid traffic recovery and loop avoidance in ring topologies
US7154861B1 (en) 2002-04-22 2006-12-26 Extreme Networks Method and system for a virtual local area network to span multiple loop free network topology domains
US7725708B2 (en) 2004-10-07 2010-05-25 Genband Inc. Methods and systems for automatic denial of service protection in an IP device
JP2007274535A (en) * 2006-03-31 2007-10-18 Fujitsu Ltd Loop specifying apparatus and loop specifying method in layer 3 network
US7969898B1 (en) 2007-03-09 2011-06-28 Cisco Technology, Inc. Technique for breaking loops in a communications network
CN101431449B (en) * 2008-11-04 2011-05-04 中国科学院计算技术研究所 Network flux cleaning system
JP5673663B2 (en) * 2010-02-19 2015-02-18 日本電気株式会社 Loop detection apparatus, system, method and program
US9060322B2 (en) 2011-10-25 2015-06-16 Aruba Networks, Inc. Method and system for preventing loops in mesh networks
US8767730B2 (en) * 2012-02-10 2014-07-01 Futurewei Technologies, Inc. Virtual local area network identifier substitution as time to live method
US9258213B2 (en) 2012-05-30 2016-02-09 Cisco Technology, Inc. Detecting and mitigating forwarding loops in stateful network devices
US9270693B2 (en) * 2013-09-19 2016-02-23 The Boeing Company Detection of infected network devices and fast-flux networks by tracking URL and DNS resolution changes
US9954891B2 (en) * 2015-05-18 2018-04-24 Verizon Digital Media Services Inc. Unobtrusive and dynamic DDoS mitigation


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
王佳: "基于专家系统的网络故障检测方法的研究及实现", 《中国优秀硕士学位论文全文数据库》 *
荣利: "网络流量的监测与控制方法的设计与实现", 《中国优秀硕士学位论文全文数据库》 *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109347678A (en) * 2018-11-06 2019-02-15 杭州迪普科技股份有限公司 A kind of determination method and device of route loop
CN109347678B (en) * 2018-11-06 2021-05-25 杭州迪普科技股份有限公司 Method and device for determining routing loop
CN115244910A (en) * 2021-02-01 2022-10-25 北京小米移动软件有限公司 Network path determination method, device, communication equipment and storage medium
CN115244910B (en) * 2021-02-01 2024-01-23 北京小米移动软件有限公司 Network path determination method, device, communication equipment and storage medium
CN114095426A (en) * 2021-09-28 2022-02-25 浪潮软件科技有限公司 Message processing method and device of VPP platform
CN114172861A (en) * 2021-12-07 2022-03-11 北京天融信网络安全技术有限公司 Identification method and device of network address translation equipment
CN114172861B (en) * 2021-12-07 2024-04-19 北京天融信网络安全技术有限公司 Network address translation equipment identification method and device
CN114500117A (en) * 2022-04-15 2022-05-13 北京全路通信信号研究设计院集团有限公司 Looped network Master configuration error judgment method and device based on looped network storm flow characteristics
CN114500117B (en) * 2022-04-15 2022-07-05 北京全路通信信号研究设计院集团有限公司 Looped network Master configuration error judgment method and device based on looped network storm flow characteristics
CN117880135A (en) * 2023-12-29 2024-04-12 北京马赫谷科技有限公司 Routing loop detection method, device, equipment and storage medium

Also Published As

Publication number Publication date
US20170085531A1 (en) 2017-03-23
US10243969B2 (en) 2019-03-26
EP3353957A4 (en) 2019-09-04
EP3353957A1 (en) 2018-08-01
TW201713094A (en) 2017-04-01
EP3353957B1 (en) 2022-07-06
WO2017052970A1 (en) 2017-03-30
TWI713501B (en) 2020-12-21
US20190190924A1 (en) 2019-06-20
US10798110B2 (en) 2020-10-06


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170329